CVE-2026-40799

Vulnerability

The Simple Cloudflare Turnstile plugin for WordPress, in versions 1.38.0 and earlier, contains a broken authentication vulnerability that can be exploited without prior authentication. The flaw resides in the plugin's authentication mechanism, allowing unauthenticated attackers to bypass access controls and perform actions that should only be available to higher-privileged users [1].

Exploitation

An attacker needs only network access to a WordPress site running the vulnerable plugin. No authentication is required. The attacker can directly abuse the broken authentication logic to execute privileged actions, such as modifying plugin settings or escalating privileges, without needing any user interaction or specific configuration [1].

Impact

Successful exploitation enables the attacker to perform actions normally reserved for higher-privileged users, which may include gaining administrative access to the WordPress site [1]. This leads to a compromise of confidentiality, integrity, and availability, as the attacker could take full control of the site.

Mitigation

The vulnerability is fixed in version 1.38.1, released on 2026-06-15 or shortly before. Users are strongly advised to update to 1.38.1 or later immediately. For sites that cannot be updated promptly, hosting provider or developer assistance should be sought to apply the patch. The vulnerability is not currently listed on the CISA KEV, but given its use in mass-exploit campaigns, prompt patching is critical [1].